AC.1.001 Basic Security Requirements (CMMC Level 1)

Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

Source Discussion

Access control policies (e.g., identity- or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems.

Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization.

This requirement focuses on account management for systems and applications. The definition and enforcement of access authorizations, other than those determined by account type (e.g., privileged versus non-privileged), are addressed in requirement 3.1.2 (AC.1.002).

CMMC Clarification

Control who can use company computers and who can log on to the company network. Limit the services and devices, like printers, that can be accessed by company computers. Set up your system so that unauthorized users and devices cannot get on the company network.

CMMC GUIDE FURTHER DISCUSSION

Identify users, processes, and devices that are allowed to use company computers and can log on to the company network [a]. Automated updates and other automatic processes should be associated with the user who initiated (authorized) the process [b]. Limit the devices (e.g., printers) that can be accessed by company computers [c]. Set up your system so that only authorized users, processes, and devices can access the company network [d,e,f].

This practice, AC.1.001, controls system access based on user, process or device identity. AC.1.001 leverages IA.1.076, which provides a vetted and trusted identity for access control required by AC.1.001.

Examples

Example 1

You are in charge of IT for your company. You give a username and password to every employee who uses a company computer for their job. No one can use a company computer without a username and a password. You give a username and password only to those employees you know have permission to be on the system. When an employee leaves the company, you disable their username and password immediately.
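As an added example that is not part of the CMMC guide, the following PowerShell applies the Example 1 practice to an Active Directory domain: it disables a departing user's account at once, strips its group memberships so it cannot be quietly re-enabled with its old access, and lists accounts that are still enabled but have gone unused. It assumes the RSAT ActiveDirectory module on a domain-joined administrative session; the account name jdoe, the ticket text and the 90-day window are placeholders.

```powershell
# Added example (not from the CMMC guide): account-lifecycle enforcement for AC.1.001.
# Assumes the ActiveDirectory module and a domain admin session; 'jdoe', the ticket
# reference and the 90-day window are placeholder values.
Import-Module ActiveDirectory

# Offboarding: disable immediately, record when and why, and remove group memberships.
function Disable-DepartedUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Ticket = 'offboarding ticket ref'
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    Disable-ADAccount -Identity $user
    Set-ADUser -Identity $user -Description ("Disabled {0:yyyy-MM-dd} ({1})" -f (Get-Date), $Ticket)
    # MemberOf does not include the primary group (Domain Users), which is expected.
    foreach ($group in $user.MemberOf) {
        Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
    }
}

# Periodic check: enabled accounts with no logon inside the window are review
# candidates; a departed employee whose account was missed shows up here.
function Get-DormantEnabledUsers {
    param([int]$Days = 90)
    Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($Days)) -UsersOnly |
        Where-Object { $_.Enabled } |
        Select-Object SamAccountName, LastLogonDate, DistinguishedName
}

Disable-DepartedUser -SamAccountName 'jdoe' -Ticket 'HR offboarding'
Get-DormantEnabledUsers -Days 90 | Format-Table -AutoSize
```

Run the dormant-account report on a schedule and keep its output; for an assessor it is the evidence that "disable immediately" is actually happening, not just written in the policy.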

Example 2

A coworker from the marketing department tells you their boss wants to buy a new multi-function printer/scanner/fax device and make it available on the company network. You explain that the company controls system and device access to the network, and will block non-company systems and devices unless they already have permission to access the network. You work with the marketing department to grant the new printer/scanner/fax device permission to connect to the network, then install it.

References

FAR Clause 52.204-21 b.1.i

NIST SP 800-171 Rev 1 3.1.1

CIS Controls v7.1 1.4, 1.6, 5.1, 14.6, 15.10, 16.8, 16.9, 16.11

NIST CSF v1.1 PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-3, PR.PT-4

CERT RMM v1.2 TM:SG4.SP1

NIST SP 800-53 Rev 4 AC-2, AC-3, AC-17

AU ACSC Essential Eight

Safer Internet Day 2021

Today, Tuesday, 9 February 2021, we celebrate the 18th edition of Safer Internet Day with actions taking place right across the globe. With a theme once again of “Together for a better internet”, this day calls upon all stakeholders to join together to make the internet a safer and better place for all, and especially for children and young people.

SecurityOrb.com would like to share a few links to some useful content that can help you, your family, and your business.

Internet Safety 101 The Ultimate Guide for Parents

This is the ultimate, easy-to-digest guide to keeping your family safe online.

Let’s get straight to the point:

As parents, we worry about our kids and the internet. We want to keep them safe but aren’t always sure how. Where do we start?

Right here.

This Internet Safety 101 guide is simple to follow and very practical.

If you want to be clued-up and confident but are short on time, we made this for you.

You’re going to see the issues and risks and be given actionable tips for protecting your family.

Let’s dive right in.

Retrieved from: https://wetheparents.org/internet-safety-for-parents

Safer Internet Day 2021: History, Theme And Tips For Personal Online Security

Safer Internet Day is celebrated in February each year; this year it falls on Feb. 9. The day was launched in the U.K. to raise awareness of good internet practices and to reflect on concerns around the online world, such as cyberbullying and other forms of online harassment.

The day focuses on a range of topics, including consent, ownership, and data privacy, and also aims to rid the online world of malevolence of any sort and ensure the security of children and adults alike.

CMMC Level 3 Control – Email Sandboxing (SI.3.220)

In the CMMC process, one control that many organizations have trouble understanding or implementing is Email Sandboxing, SI.3.220. The control states that an organization should use sandboxing to detect or block potentially malicious email. Doing so can stop malicious files from entering the network, and the implementation should be documented in the Configuration Management Policy.

An email sandbox provides an isolated environment in which to execute an attached file or open a linked URL. Before attachments or links are allowed onto the production network, they are executed within the sandbox and their behavior is observed. By opening files and links in this protected environment, the system detects malicious activity before it reaches the network. Note that a sandbox only sees what a sample does while it is being observed: malware that sleeps, checks for a virtual machine, or waits for user interaction can behave benignly during detonation, so sandboxing complements endpoint protection and user training rather than replacing them.

Office 365 and its Advanced Threat Protection (ATP, since renamed Microsoft Defender for Office 365) provide these services through URL Detonation and Dynamic Delivery. Dynamic Delivery lets recipients read and respond to an email while its attachment is still being scanned: the message is delivered to the inbox with a "placeholder" attachment telling the user that the real attachment is being scanned, with minimal lag. If the user clicks the placeholder, they see the progress of the scan. If the attachment is harmless, it is seamlessly re-attached to the email so the user can open it; if it is malicious, ATP filters the attachment out.

URL Detonation can be enabled through the policy controls in the Safe Links admin window under settings. To enable URL Detonation, select the “On” radio button and then select the Use Safe Attachments to scan downloadable content checkbox.

Dynamic Delivery can be activated through the policy controls from the Safe Attachments admin control window under Settings. Simply select the Dynamic Delivery radio button.
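The same two settings, applied with Exchange Online PowerShell instead of the admin portal. This is an added example, not Microsoft's documentation or part of the original post; the policy names and the recipient domain example.com are assumptions, and the cmdlets and parameters are those of the ExchangeOnlineManagement module (the product is now named Microsoft Defender for Office 365).

```powershell
# Added example (not from the original post): SI.3.220 sandboxing settings via
# Exchange Online PowerShell. Policy names and 'example.com' are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in as an Exchange or Security administrator

# Safe Attachments: detonate attachments in the sandbox and deliver the message body
# at once with a placeholder (Dynamic Delivery); malicious attachments are removed.
New-SafeAttachmentPolicy -Name 'CMMC-SI.3.220-Attachments' `
    -Enable $true `
    -Action DynamicDelivery

New-SafeAttachmentRule -Name 'CMMC-SI.3.220-Attachments' `
    -SafeAttachmentPolicy 'CMMC-SI.3.220-Attachments' `
    -RecipientDomainIs 'example.com'

# Safe Links: rewrite and check URLs at click time, detonate downloadable content
# behind links (URL Detonation, "use Safe Attachments to scan downloadable content")
# and hold delivery until that scan completes.
New-SafeLinksPolicy -Name 'CMMC-SI.3.220-Links' `
    -EnableSafeLinksForEmail $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true `
    -TrackClicks $true `
    -AllowClickThrough $false

New-SafeLinksRule -Name 'CMMC-SI.3.220-Links' `
    -SafeLinksPolicy 'CMMC-SI.3.220-Links' `
    -RecipientDomainIs 'example.com'

# Evidence for the assessor: record the effective settings with the policy document.
Get-SafeAttachmentPolicy -Identity 'CMMC-SI.3.220-Attachments' |
    Format-List Name, Enable, Action
Get-SafeLinksPolicy -Identity 'CMMC-SI.3.220-Links' |
    Format-List Name, EnableSafeLinksForEmail, ScanUrls, DeliverMessageAfterScan, AllowClickThrough
```

Apply the rules to a pilot group first (replace -RecipientDomainIs with -SentTo and a few mailboxes) before widening to the whole domain, and keep the exported settings alongside the Configuration Management Policy so the control can be shown as implemented, not only described.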

Other email services provide sandboxing as well; for example, the feature is available with G Suite Enterprise and G Suite Enterprise for Education. Contact your email provider if you are not sure.

Password Security Question Recommendations

Could the answers to your account-recovery questions be found on your Facebook account or other social media profiles? Questions such as: What city did you grow up in? What is your dog's name? What is your favorite book? What was your first job? What is your mother's maiden name?

Posting this information on social media is risky precisely because of security questions. Almost every website that requires a username and password also uses them; the form first asks for your birthday, then for answers to questions like those just listed.

These are things that friends know, that family members know, and that anyone connected to you on social media can likely find out. Users typically answer honestly: when asked for their pet's name, they enter their pet's name. A malicious party can mine your social media account for the answers, and those answers are then enough to reset your password.

This is an even greater concern when a Facebook, Twitter or other account is public, because anyone can search the Internet, find the account and read what is on it. The best practice is not to answer honestly. Treat each security question as another password field: if it asks for your pet's name, enter something completely unrelated; if it asks for your mother's maiden name, do the same. Record those answers in your password manager alongside the account's password, since you will not be able to recall them otherwise.

That removes the risk of handing strangers the answers to these questions. Also check out our best practices for creating passwords.

Let me know if you agree with this recommendation.
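As an added example that is not part of the original post, the PowerShell below generates a random answer for each recovery question and prints a table that can be pasted into a password manager. The question texts are constructed samples; the answers come from the .NET cryptographic random number generator, not Get-Random, which is not suitable for secrets.

```powershell
# Added example (not from the original post): treat security questions as passwords by
# generating random answers. Question texts are constructed samples.

function New-RandomAnswer {
    param([int]$Length = 24)
    # Alphabet without the 0/O and 1/l/I look-alikes, since answers get typed by hand.
    $alphabet = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb  = New-Object System.Text.StringBuilder
    # Reject random bytes at or above the largest multiple of the alphabet size that
    # fits in a byte; otherwise the leading characters would be slightly more likely.
    $limit = 256 - (256 % $alphabet.Length)
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) {
            [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length])
        }
    }
    $rng.Dispose()
    return $sb.ToString()
}

$questions = @(
    'What city did you grow up in?',
    "What is your dog's name?",
    'What is your favorite book?',
    "What is your mother's maiden name?"
)

foreach ($q in $questions) {
    [pscustomobject]@{ Question = $q; Answer = (New-RandomAnswer) }
}
```

Some sites cap the answer length or reject certain characters; shorten -Length or trim the alphabet rather than falling back to a real answer, and store the result in the password manager entry for that site.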

Zoom enacts security and privacy control to prevent Zoombombing


In our recent article, “What is Zoombombing and how to defend against it” we explained Zoombombing is when an unauthorized person or stranger joins a Zoom meeting/chat session and causes disorder by saying offensive things and even photobombing your meeting by sharing pornographic and hate images.

This has been occurring because many Zoom meetings are reachable through a public link: anyone who clicks it joins the meeting whether or not they were invited. Zoombombers have been collecting these links, sharing them in private chat groups, and using them to disrupt meetings.

Fortunately, on April 5th, Zoom turned on the passwords and waiting room features for meetings by default aimed at users of their free version and those with a single license version to help prevent “Zoombombing”.

These changes came just in time. Trent Lo, a cybersecurity researcher, and members of the Kansas City-based security meetup group SecKC developed a program that automatically scans the Internet for Zoom meeting IDs. The program, titled "zWarDial", can identify roughly 100 Zoom meeting IDs in an hour and collect nearly 2,400 in a single day.

Another benefit of the April 5th change is that previously scheduled Zoom meetings also have passwords enabled automatically. Some experts have gone as far as to categorize Zoom as malicious software, as described in a recent article by The Guardian titled "'Zoom is malware': why experts worry about the video conferencing platform". I personally would not go so far as to describe it as malware, but I do fault Zoom for not following adequate SecSDLC procedures. In addition, as with many applications, there will always be deficiencies and bugs that need to be remediated.

Hopefully these changes will provide the privacy protection needed to keep our events private and safe.

Please share your thoughts below.

WordPress 5.4 “Adderley” Released


WordPress 5.4 “Adderley” was released to the public on March 31, 2020. See the WordPress 5.4 announcement blog post for more information on this release.

For Version 5.4, the database version (db_version in wp_options) updated to 47018, and the Trac revision was 47541.

You can find the full list of tickets included in 5.4 on Trac.

The WordPress 5.4 Field Guide has pertinent, in-depth information on the major technical changes for this release.